ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > Resources > Downloads > Windows > Antivirus, Firewall, & Spyware > Corporate Security Software

Resources Downloads

Microsoft IIS5 "Session ID Cookie Marking" Vulnerability Patch (MS00-080)

		License	Free
		Requirements	Windows 2000, Internet Information server 5.0
Downloads	217	Limitations	None
Publisher	Microsoft	File Size	550k
Date added	26 Oct 2000		Check your speed

Publisher's Description

Report a broken link

This patch eliminates a security vulnerability in Microsoft Internet Information server that would allow a malicious user to hijack another user's secure Web session under a very restricted set of circumstances.

IIS supports the use of a Session ID cookie to track the current session identifier for a Web session. However, ASP in IIS does not support the creation of secure Session ID cookies as defined in RFC 2109. As a result, secure and non-secure pages on the same Web site use the same session ID. If a user initiated a session with a secure Web page, a session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same session ID cookie would be exchanged, this time in plaintext. If a malicious user had complete control over the communications channel, he could read the plaintext session ID cookie and use it to connect to the user's session with the secure page. At that point, he could take any action on the secure page that the user could take.

The conditions under which this vulnerability could be exploited are rather daunting. The malicious user would need to have complete control over the other user's communications with the Web site. Even then, the malicious user could not make the initial connection to the secure page; only the legitimate user could do that. The patch eliminates the vulnerability by adding support for secure Session ID cookies in ASP pages. (Secure cookies already are supported for all other types of cookies, under all other technologies in IIS).

Read the FAQ for more information.

Did you find this download useful?
23 out of 46 users found this download useful

People who downloaded this software also downloaded...

Web Form SPAM Protection 1.5.1

Protect your files against spam spiders by encrypting your Web form code.

More info

Download

Sa4o - SafestMail4Outlook 2

Protect your e-mail against unsolicited messages and spams.

More info

Download

SolidShare 2.6.11

Connect anyone on your network to the Internet with one ISP account and one modem.

More info

Download

RIP Killer Popup Blocker 3.12

Keep your surfing private while stopping annoying pop-ups and Flash ads.

More info

Download

SpyWall Anti-Spyware 1.4.3.1

Remove spyware and keep them out with a browser sandbox.

More info

Download

Safe AutoLogon 1.5.93

Save Windows account information encrypted in AES/Triple-DES and log on automatically.

More info

Download

n-Pass2Go 2.7.0.465

Store and manage your passwords and encrypted data on any removable device.

More info

Download

Watch N Catch 1.0

Protect your assets with an IP-based video surveillance system.

More info

Download

EasyCryptor 1

Encrypt and decrypt any files and send results to your e-mail address.

More info

Download

Child Computer Lock 1.6

Protect your privacy by locking your computer.

More info

Download

Embarcadero Power SQL

Embarcadero PowerSQL simplifies SQL development for application developers with many features for improving productivity and reducing errors.

Downloads: 4,192
Requirements:
License: Vendor registration required
Publisher: Embarcadero
Size: 0

Featured Talkback

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.